Authentication
PaperExchange API v1.0 supports two authentication methods: API Keys and JWT tokens.
Overview
| Method | Use Case | Header |
|---|---|---|
| API Key | Trading bots, scripts, programmatic access | X-API-Key |
| JWT Token | Dashboard, web applications | Authorization: Bearer |
API Key Authentication
API keys are the recommended method for trading bots and automated systems. They provide secure, long-lived access to the trading API.
Creating an API Key
- Log in to your dashboard
- Navigate to the API Keys section
- Click "Create New Key" and give it a name
- Copy the key immediately - it won't be shown again
Using Your API Key
Include your API key in the X-API-Key header:
import requests

API_KEY = "pe_your_api_key_here"
BASE_URL = "https://api.paperx.co"

response = requests.post(
    f"{BASE_URL}/v1/exchanges/hyperliquid/info",
    headers={
        "Content-Type": "application/json",
        "X-API-Key": API_KEY
    },
    json={"type": "allMids"}
)
print(response.json())

curl -X POST https://api.paperx.co/v1/exchanges/hyperliquid/info \
  -H "Content-Type: application/json" \
  -H "X-API-Key: pe_your_api_key_here" \
  -d '{"type": "allMids"}'

const API_KEY = "pe_your_api_key_here";
const BASE_URL = "https://api.paperx.co";

const response = await fetch(`${BASE_URL}/v1/exchanges/hyperliquid/info`, {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "X-API-Key": API_KEY
  },
  body: JSON.stringify({ type: "allMids" })
});
const data = await response.json();
console.log(data);

JWT Token Authentication
JWT tokens are used for dashboard access and web applications. Tokens expire after 24 hours and must be refreshed.
Getting a JWT Token
Obtain a JWT token by logging in with your email and password:
POST /auth/login
Content-Type: application/json

{
  "email": "your@email.com",
  "password": "your_password"
}

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "user_id": "uuid-here",
  "email": "your@email.com"
}

Using JWT Tokens
Include the token in the Authorization header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Security Best Practices
Never expose API keys in client-side code
API keys should only be used in server-side code or secure environments. Never include them in frontend JavaScript or mobile apps.
Use environment variables
Store API keys in environment variables, not in your code. Use .env files for local development.
Rotate keys regularly
Create new API keys periodically and revoke old ones. You can manage keys in your dashboard.
Use separate keys for different environments
Create separate API keys for development, staging, and production environments.
Rate Limits
Rate limits are applied per API key:
| Plan | Rate Limit | Max API Keys |
|---|---|---|
| Basic | 200 requests/minute | 5 keys |
| Pro | 500 requests/minute | 10 keys |
Rate limit headers are included in all responses:
- X-RateLimit-Limit - Maximum requests per minute
- X-RateLimit-Remaining - Requests remaining
- X-RateLimit-Reset - Unix timestamp when limit resets
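
The environment-variable practice and the rate-limit headers described above, combined in one client. This is an added example, not PaperExchange's own code; the variable name PAPEREXCHANGE_API_KEY and the helper names are assumptions, and it uses the standard library instead of requests.

```python
import json
import os
import time
import urllib.request

BASE_URL = "https://api.paperx.co"     # from the page
KEY_ENV_VAR = "PAPEREXCHANGE_API_KEY"  # assumed name, not defined by the docs


def load_api_key(env=os.environ):
    """Read the key from the environment; refuse a missing or placeholder value."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key or key == "pe_your_api_key_here":
        raise RuntimeError(f"set {KEY_ENV_VAR} to a real API key")
    return key


def seconds_to_wait(headers, now=None):
    """Seconds to pause before the next request, from the rate-limit headers."""
    now = time.time() if now is None else now
    try:
        remaining = int(headers.get("X-RateLimit-Remaining", ""))
        reset_at = int(headers.get("X-RateLimit-Reset", ""))
    except (TypeError, ValueError):
        return 0.0  # headers absent or malformed: do not block
    if remaining > 0:
        return 0.0
    return max(0.0, reset_at - now)  # budget spent: wait until the reset time


def post_info(payload, api_key, opener=urllib.request.urlopen):
    """POST to the info endpoint; return (parsed JSON body, seconds to wait)."""
    req = urllib.request.Request(
        f"{BASE_URL}/v1/exchanges/hyperliquid/info",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "X-API-Key": api_key},
        method="POST",
    )
    with opener(req, timeout=10) as resp:
        return json.load(resp), seconds_to_wait(resp.headers)


if __name__ == "__main__":
    body, wait = post_info({"type": "allMids"}, load_api_key())
    print(body)
    time.sleep(wait)  # honour the limit before issuing another request
```
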
Next Steps
Now that you understand authentication, learn how to make API requests:
Info Endpoint Reference